USN-779-1: Firefox and Xulrunner vulnerabilities

Ubuntu Security Notice USN-779-1

firefox-3.0, xulrunner-1.9 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 9.04

Ubuntu 8.10

Ubuntu 8.04 LTS

Software description

firefox-3.0

xulrunner-1.9

Details

Several flaws were discovered in the browser and JavaScript engines ofFirefox. If a user were tricked into viewing a malicious website, a remoteattacker could cause a denial of service or possibly execute arbitrary codewith the privileges of the user invoking the program. (CVE-2009-1392,CVE-2009-1832, CVE-2009-1833, CVE-2009-1837, CVE-2009-1838)

Pavel Cvrcek discovered that Firefox would sometimes display certaininvalid Unicode characters as whitespace. An attacker could exploit this tospoof the location bar, such as in a phishing attack. (CVE-2009-1834)

Gregory Fleischer, Adam Barth and Collin Jackson discovered that Firefoxwould allow access to local files from resources loaded via the file:protocol. If a user were tricked into downloading then opening a maliciousfile, an attacker could steal potentially sensitive information.(CVE-2009-1835, CVE-2009-1839)

Shuo Chen, Ziqing Mao, Yi-Min Wang, and Ming Zhang discovered that Firefoxdid not properly handle error responses when connecting to a proxy server.If a remote attacker were able to perform a man-in-the-middle attack, thisflaw could be exploited to view sensitive information. (CVE-2009-1836)

It was discovered that Firefox could be made to run scripts with elevatedprivileges. If a user were tricked into viewing a malicious website, anattacker could cause a chrome privileged object, such as the browsersidebar, to run arbitrary code via interactions with the attackercontrolled website. (CVE-2009-1841)

Update instructions

The problem can be corrected by updating your system to the following
package version: